If you're really concerned about all of this, don't bother with smartphones and use primitive handsets from the dark ages of the late 90s/early 2000s where no one would ever know (sure it's a brick with an extendable antenna that you have to pull out to make a phone call, but impossible to brick, right?)
– t0mm13b, Jun 30 '12 at 1:21

3 Answers

... Google's native apps on Android phones are designed to use the phone
itself to sign in and out. If you're concerned about account security
on your phone I recommend you add a lock pattern or PIN to your phone
(visit Settings > Location & security settings to set these up).

If you want to disassociate your account you can perform a factory reset, which will erase all of your personal data and require you to set up the account again. This isn't really practical as a "sign out" method, though, since you'd have to completely re-create the account to access it.

I suppose you could also go to a web browser and change your Gmail password to effectively "log out" your phone and prompt for the new password, but then you'd have to change it after every time you've accessed the Gmail app. Again, not practical.

Being "logged in" is a misconception. Even when you are "logged in" when you use a browser, this is handled by the storage of a cookie with an authentication token stored in it. On the device it is sort of the same, except it is not a "cookie". When you set up your account, an authentication token is requested and stored on the device. A new token can also be exchanged at other times, but you are unaware that it even happens.

When the applications, like Gmail, go and check for new mail, they use that token to tell the Gmail servers that you are "you". The reason you can't "sign out" is because then you would not be able to check for new mail, get application updates and other things like that which happen in the background. If you were to sign out, then every couple of minutes you would have to put in your credentials so your device could check for updates and new mail.

A large set of the services built into Android use your authentication token. Even creating, editing, or deleting a contact on your device uses it, because the device syncs that data to your account on Google's servers. Calendar appointments, gTalk, Google Voice, the search widget, voice-to-text, push notifications (for just about any service that uses C2DM), and any other service that may show up under your Google account in Accounts & Sync can and will need this authentication token at any given time.

It is more like you are logged in to your PC (Windows, Linux, OS X) than logged in to any particular Google service.

So everyone who has that token can go into my mail account with it?
– zsad, Feb 1 '12 at 17:07


How would they get your token? But, yes, in theory, if someone got a currently valid token for you, then they could access your data. All of the communications that Google uses for your information are over HTTPS, so the data is encrypted. Tokens are unique to you; someone else will not get "your token".
– Ryan Conrad, Feb 1 '12 at 17:32

"A large set of the services built into Android use your authentication token." What about "any" app? Can some (malicious) installed application get to the token and send it somewhere for someone to use?
– zsad, Feb 1 '12 at 17:53


Any "normal" application can use your account to authenticate you, but Google still limits the data that could be accessed. Even if it was something like getting contacts, you would see in the application's permissions that it needed access to contacts, and if the app is not something that would need that information, then don't install it.
– Ryan Conrad, Feb 1 '12 at 18:00


But your PC can't get stolen/lost that easily. Everything you listed doesn't explain why you can't add the option to 'sign out' - invalidate your token (the same way you do on a browser) - when you want to (e.g., when you turn off your phone), while being aware that while you are 'signed out' some features will not work. This is security 101.
– Asaf, Feb 23 '12 at 8:42
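As an added illustration (not code from this thread or from Android itself), here is a toy model of the token lifecycle the answer above describes, together with the two "sign out" routes the thread discusses: the password change the answer suggests, which kills every token at once, and the per-token revoke Asaf asks for. The `AccountServer` class, `demo()` and the sample passwords are all invented for this example.

```python
import hashlib
import hmac
import secrets

def _digest(password):
    return hashlib.sha256(password.encode()).hexdigest()

class AccountServer:
    def __init__(self, password):
        self._pw_hash = _digest(password)
        self._generation = 0   # bumped on every password change
        self._tokens = {}      # token -> (app, scope, generation at issue)

    def issue_token(self, password, app, scope):
        """Setup-time exchange: credentials in, opaque scoped token out."""
        if not hmac.compare_digest(_digest(password), self._pw_hash):
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(16)
        self._tokens[token] = (app, scope, self._generation)
        return token

    def check(self, token, scope):
        """Background sync call: no password is sent, only the stored token."""
        entry = self._tokens.get(token)
        if entry is None:
            return False
        _app, granted_scope, issued_gen = entry
        # Dead if issued before the last password change; a mail token cannot
        # read contacts (the per-app data limits Ryan mentions).
        return issued_gen == self._generation and granted_scope == scope

    def change_password(self, new_password):
        """The browser-side 'log out the phone' trick from the answer above."""
        self._pw_hash = _digest(new_password)
        self._generation += 1   # every token issued so far stops working

    def revoke(self, token):
        """The explicit 'sign out' the comments ask for: kill one token only."""
        self._tokens.pop(token, None)

def demo():
    srv = AccountServer("old-password")   # constructed sample credentials
    mail_tok = srv.issue_token("old-password", "gmail", "mail")
    r = {"mail_sync": srv.check(mail_tok, "mail"),                        # True
         "mail_token_reads_contacts": srv.check(mail_tok, "contacts")}    # False
    srv.change_password("new-password")   # invalidates every token at once
    r["mail_after_pw_change"] = srv.check(mail_tok, "mail")               # False
    new_tok = srv.issue_token("new-password", "gmail", "mail")
    srv.revoke(new_tok)                   # targeted sign-out instead
    r["after_revoke"] = srv.check(new_tok, "mail")                        # False
    return r
```

The point the model makes is that the token alone is what the background services present, so whoever holds a valid one is "you" until it is revoked or the password generation moves on.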

The primary advantage of Gmail being a native app is that it keeps your email synchronized and gives you new-mail notifications, but if you really don't want to stay logged in and can accept that not being logged on means you won't get synchronization or notifications, then just don't use the Gmail app. You can check your email through Gmail's mobile webmail instead.